← 返回 Skills 市场
wenbingyu

Hologres Privileges

作者 francis · GitHub ↗ · v0.2.0 · MIT-0
cross-platform ✓ 安全检测通过
83
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install hologres-privileges
功能描述
Hologres privilege management using PostgreSQL standard authorization model (expert permission model). Use for creating users, granting/revoking Schema/table...
使用说明 (SKILL.md)

Prerequisites

This skill requires hologres-cli to be installed first:

pip install hologres-cli
export HOLOGRES_SKILL=hologres-privileges

All SQL execution depends on hologres-cli commands (hologres sql run --write).

Hologres Privilege Management (Expert Permission Model)

Manage fine-grained access control in Hologres using standard PostgreSQL GRANT/REVOKE syntax.

Permission Model Overview

Hologres provides three permission models. This skill focuses on the Expert Model.

Model Granularity Use Case
Expert (PostgreSQL Standard) Table/Column/View level Fine-grained control, per-table/per-user
SPM (Simple Permission Model) Database level Quick setup, 4 preset role groups
SLPM (Schema-Level Permission Model) Schema level Multi-team isolation with simplified management

The expert model uses standard PostgreSQL GRANT/REVOKE syntax. It only applies to existing objects — use ALTER DEFAULT PRIVILEGES for future objects.

Quick Start

-- 1. Create user (RAM user format: p4_\x3Cuid>)
CREATE USER "p4_1822780xxx";

-- 2. Grant Schema access (required for any table query)
GRANT USAGE ON SCHEMA public TO "p4_1822780xxx";

-- 3. Grant table read permission
GRANT SELECT ON TABLE public.orders TO "p4_1822780xxx";

-- 4. Verify permission
SELECT has_table_privilege('p4_1822780xxx', 'public.orders', 'SELECT');

User Management

Account Types

Type Format Example
Alibaba Cloud main account Numeric UID 11822780xxx
RAM sub-account p4_ + UID p4_1822780xxx
Custom user (BASIC) BASIC$ + name BASIC$dev_user

Create Users

-- Create user with login privilege
CREATE USER "p4_1822780xxx";

-- Create user as Superuser
CREATE USER "p4_1822780xxx" SUPERUSER;

-- Create custom user with password
CREATE USER "BASIC$dev_user" WITH PASSWORD 'secure_password';

Alter Users

-- Promote to Superuser
ALTER USER "p4_1822780xxx" SUPERUSER;

-- Demote to normal user
ALTER USER "p4_1822780xxx" NOSUPERUSER;

-- Change custom user password
ALTER USER "BASIC$dev_user" WITH PASSWORD 'new_password';

Delete Users

-- Drop user (no owned objects)
DROP USER "p4_1822780xxx";

-- Drop user with owned objects (transfer first)
REASSIGN OWNED BY "p4_old_uid" TO "p4_new_uid";
DROP USER "p4_old_uid";

Core Grant Syntax

Schema Privileges

-- Grant Schema access (required before any table query)
GRANT USAGE ON SCHEMA schema_name TO "user_id";

-- Grant ability to create tables in Schema
GRANT CREATE ON SCHEMA schema_name TO "user_id";

Table Privileges

-- Grant specific privileges on a single table
GRANT SELECT ON TABLE schema_name.table_name TO "user_id";
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE schema_name.table_name TO "user_id";

-- Grant on all existing tables in a Schema
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "user_id";

-- Grant to all users
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO PUBLIC;

Column Privileges

-- Grant SELECT on specific columns only
GRANT SELECT (column1, column2) ON TABLE schema_name.table_name TO "user_id";

View Privileges

GRANT SELECT ON view_name TO "user_id";

Grant with Transfer (WITH GRANT OPTION)

-- Allow the grantee to re-grant this privilege to others
GRANT SELECT ON TABLE schema_name.table_name TO "user_id" WITH GRANT OPTION;

Owner Transfer

Only the table Owner or Superuser can DROP/ALTER a table.

-- Transfer table ownership
ALTER TABLE schema_name.table_name OWNER TO "user_id";

-- Transfer ownership to a role group
ALTER TABLE schema_name.table_name OWNER TO role_name;

Default Privileges (Future Objects)

GRANT only applies to existing objects. Use ALTER DEFAULT PRIVILEGES so that future tables automatically inherit permissions.

-- All future tables created by user1 in public schema are readable by everyone
ALTER DEFAULT PRIVILEGES FOR ROLE "user1" IN SCHEMA public
  GRANT SELECT ON TABLES TO PUBLIC;

-- Only user2 can read future tables created by user1
ALTER DEFAULT PRIVILEGES FOR ROLE "user1" IN SCHEMA public
  GRANT SELECT ON TABLES TO "user2";

-- Revoke a default privilege rule
ALTER DEFAULT PRIVILEGES FOR ROLE "user1" IN SCHEMA public
  REVOKE SELECT ON TABLES FROM PUBLIC;

-- Check current default privilege settings
SELECT pg_catalog.pg_get_userbyid(d.defaclrole) AS "Owner",
  n.nspname AS "Schema",
  CASE d.defaclobjtype
    WHEN 'r' THEN 'table' WHEN 'S' THEN 'sequence'
    WHEN 'f' THEN 'function' WHEN 'T' THEN 'type'
  END AS "Type",
  pg_catalog.array_to_string(d.defaclacl, E'\
') AS "Access privileges"
FROM pg_catalog.pg_default_acl d
LEFT JOIN pg_catalog.pg_namespace n ON n.oid = d.defaclnamespace
ORDER BY 1, 2, 3;

Important: ALTER DEFAULT PRIVILEGES FOR ROLE "X" only applies when user X creates the object. If another user creates tables, the rule does not trigger.

Revoke Privileges

Scope SQL
Single table REVOKE SELECT ON TABLE schema.table FROM "user_id";
All tables in Schema REVOKE ALL ON ALL TABLES IN SCHEMA public FROM "user_id";
Schema access REVOKE USAGE ON SCHEMA schema_name FROM "user_id";
Column privilege REVOKE SELECT (col1) ON TABLE schema.table FROM "user_id";

Permission Diagnostics Quick Reference

-- List all roles with key attributes
SELECT rolname, rolsuper, rolcanlogin FROM pg_roles;

-- Check if a user has SELECT on a specific table
SELECT has_table_privilege('user_id', 'schema.table', 'SELECT');

-- List all table grants for a specific role
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'user_id';

-- Find all users with any privilege on a specific table
SELECT rolname FROM pg_roles
WHERE has_table_privilege(rolname, 'schema.table', 'SELECT');

For more diagnostic queries, see diagnostic-queries.md.

Common Errors and Troubleshooting

Error Cause Solution
permission denied for table xxx Missing table privilege GRANT SELECT ON TABLE xxx TO "user";
must be the owner of table xxx Non-owner attempting DDL ALTER TABLE xxx OWNER TO "user";
permission denied for Schema xxx Missing Schema USAGE GRANT USAGE ON SCHEMA xxx TO "user";

References

Document Content
grant-revoke-reference.md Complete GRANT/REVOKE syntax reference
diagnostic-queries.md Permission diagnostic SQL collection
best-practices.md Role group planning best practices

Best Practices

  1. Never use the main account for business queries — create dedicated users
  2. Always GRANT USAGE ON SCHEMA first — without it, no table queries work
  3. Use role groups instead of per-user grants — create project_dev, project_write, project_view roles
  4. Use ALTER DEFAULT PRIVILEGES for future tables — combine with GRANT ON ALL TABLES for existing tables
  5. Regularly audit permissions with diagnostic SQL from diagnostic-queries.md
  6. Transfer ownership before dropping users — use REASSIGN OWNED BY
  7. Enable catalog RLS on V3.0+ to protect metadata visibility (hg_experimental_enable_catalog_rls)
安全使用建议
Install only if you need Hologres database privilege administration. Before running any generated SQL, verify the target database and account, review grants to PUBLIC or ALL TABLES carefully, and require explicit approval for SUPERUSER, DROP USER, ownership-transfer, and default-privilege changes.
功能分析
Type: OpenClaw Skill Name: hologres-privileges Version: 0.2.0 The skill bundle provides comprehensive instructions and SQL templates for managing Hologres privileges using the PostgreSQL expert permission model. It includes documentation on user management, role-based access control, and diagnostic queries (e.g., in references/diagnostic-queries.md). No evidence of malicious behavior, data exfiltration, or prompt injection was found; the content is strictly aligned with its stated purpose of database administration and follows standard security practices for the Hologres platform.
能力评估
Purpose & Capability
Purpose and capability align: SKILL.md describes Hologres user, role, GRANT/REVOKE, ownership, and default-privilege management. These are high-impact database administration actions, but they are disclosed and central to the stated purpose.
Instruction Scope
The visible instructions are SQL examples and references, including broad examples such as SUPERUSER grants and grants to PUBLIC. They appear instructional rather than hidden or automatic, but users should require explicit review before applying them.
Install Mechanism
SKILL.md asks the user to run `pip install hologres-cli`, while the registry metadata has no install spec or required binary declaration. This is a purpose-aligned setup gap rather than evidence of malicious behavior.
Credentials
No code files, hidden endpoints, required credentials, or broad local file access are present in the provided artifacts; the expected environment dependency is a Hologres CLI/database connection.
Persistence & Privilege
The skill covers persistent database state changes such as users, roles, ownership, grants, revokes, and default privileges for future objects. That persistence is expected for a privilege-management skill, but changes can outlive the current task.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install hologres-privileges
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /hologres-privileges 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.2.0
- Added comprehensive documentation covering Hologres privilege management using the PostgreSQL standard (Expert) authorization model. - Included quick start guides for user creation, privilege grants, and diagnostics. - Detailed instructions for managing schema, table, column, and view privileges. - Explained default privileges setup for future objects. - Added common error troubleshooting, best practice recommendations, and reference links for further diagnostics and advanced scenarios.
元数据
Slug hologres-privileges
版本 0.2.0
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 1
常见问题

Hologres Privileges 是什么?

Hologres privilege management using PostgreSQL standard authorization model (expert permission model). Use for creating users, granting/revoking Schema/table... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 83 次。

如何安装 Hologres Privileges?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install hologres-privileges」即可一键安装,无需额外配置。

Hologres Privileges 是免费的吗?

是的,Hologres Privileges 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Hologres Privileges 支持哪些平台?

Hologres Privileges 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Hologres Privileges?

由 francis(@wenbingyu)开发并维护,当前版本 v0.2.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 留言讨论